Connect errors with OpenSSL 1.0.1e and 1.0.2g: OpenSSL.SSL.Error: [('SSL routines', 'SSL3_GET_SERVER_HELLO', 'serverhello tlsext')] #981

Closed
ShaneHarvey opened this issue Dec 15, 2020 · 1 comment

Comments

@ShaneHarvey
Contributor

I'm currently trying to debug why pymongo with pyOpenSSL cannot connect to MongoDB Atlas with PyPy (2 or 3) on RHEL 6.2 with OpenSSL 1.0.1e and Ubuntu 16.04 with OpenSSL 1.0.2g.

The error I get with PyPy 3.6 on RHEL 6.2 with OpenSSL 1.0.1e is OpenSSL.SSL.Error: [('SSL routines', 'SSL3_GET_SERVER_HELLO', 'serverhello tlsext')]:

(venvpypy3.6) [root@ip-10-122-29-16 tmp]# python atlasconnect.py
/root/tmp/venvpypy3.6/site-packages/cryptography/hazmat/bindings/openssl/binding.py:163: CryptographyDeprecationWarning: OpenSSL version 1.0.1 is no longer supported by the OpenSSL project, please upgrade. The next version of cryptography will drop support for it.
  utils.CryptographyDeprecationWarning
Traceback (most recent call last):
  File "/root/tmp/venvpypy3.6/site-packages/pymongo/pool.py", line 1002, in _configured_socket
    sock = ssl_context.wrap_socket(sock, server_hostname=host)
  File "/root/tmp/venvpypy3.6/site-packages/pymongo/pyopenssl_context.py", line 313, in wrap_socket
    ssl_conn.do_handshake()
  File "/root/tmp/venvpypy3.6/site-packages/pymongo/pyopenssl_context.py", line 116, in do_handshake
    return self._call(super(_sslConn, self).do_handshake, *args, **kwargs)
  File "/root/tmp/venvpypy3.6/site-packages/pymongo/pyopenssl_context.py", line 107, in _call
    return call(*args, **kwargs)
  File "/root/tmp/venvpypy3.6/site-packages/OpenSSL/SSL.py", line 1934, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/root/tmp/venvpypy3.6/site-packages/OpenSSL/SSL.py", line 1671, in _raise_ssl_error
    _raise_current_error()
  File "/opt/python/pypy3.6/lib_pypy/_functools.py", line 80, in __call__
    return self._func(*(self._args + fargs), **fkeywords)
  File "/root/tmp/venvpypy3.6/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'SSL3_GET_SERVER_HELLO', 'serverhello tlsext')]

PyPy 3.6 RHEL 6.2 environment:

$ pip list
Package          Version
---------------- ---------
attrs            20.3.0
certifi          2020.12.5
cffi             1.14.2
chardet          3.0.4
cryptography     2.8
greenlet         0.4.13
idna             2.10
pip              20.3.2
pyasn1           0.4.8
pyasn1-modules   0.2.8
pymongo          3.11.2
pyOpenSSL        19.1.0
readline         6.2.4.1
requests         2.25.0
service-identity 18.1.0
setuptools       51.0.0
six              1.15.0
urllib3          1.26.2
wheel            0.36.2

Python version:

$ python --version
Python 3.6.9 (d38cd66c14b8, Sep 23 2020, 08:01:17)
[PyPy 7.3.2 with GCC 7.3.1 20180303 (Red Hat 7.3.1-5)]

OpenSSL version that cryptography was built against:

$ openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

The error I get with PyPy 3.6 on Ubuntu 16.04 with OpenSSL 1.0.2g is OpenSSL.SSL.Error: [('SSL routines', 'ssl_parse_serverhello_tlsext', 'serverhello tlsext'), ('SSL routines', 'ssl3_get_server_hello', 'parse tlsext')]:

(venvpypy3.6) ubuntu@ip-10-122-27-87:~/tmp$ python atlasconnect.py
/home/ubuntu/tmp/venvpypy3.6/site-packages/cryptography/hazmat/bindings/openssl/binding.py:177: CryptographyDeprecationWarning: OpenSSL version 1.0.2 is no longer supported by the OpenSSL project, please upgrade. The next version of cryptography will drop support for it.
  utils.CryptographyDeprecationWarning,
Traceback (most recent call last):
  File "/home/ubuntu/tmp/venvpypy3.6/site-packages/pymongo/pool.py", line 1002, in _configured_socket
    sock = ssl_context.wrap_socket(sock, server_hostname=host)
  File "/home/ubuntu/tmp/venvpypy3.6/site-packages/pymongo/pyopenssl_context.py", line 313, in wrap_socket
    ssl_conn.do_handshake()
  File "/home/ubuntu/tmp/venvpypy3.6/site-packages/pymongo/pyopenssl_context.py", line 116, in do_handshake
    return self._call(super(_sslConn, self).do_handshake, *args, **kwargs)
  File "/home/ubuntu/tmp/venvpypy3.6/site-packages/pymongo/pyopenssl_context.py", line 107, in _call
    return call(*args, **kwargs)
  File "/home/ubuntu/tmp/venvpypy3.6/site-packages/OpenSSL/SSL.py", line 1934, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/home/ubuntu/tmp/venvpypy3.6/site-packages/OpenSSL/SSL.py", line 1671, in _raise_ssl_error
    _raise_current_error()
  File "/opt/python/pypy3.6/lib_pypy/_functools.py", line 80, in __call__
    return self._func(*(self._args + fargs), **fkeywords)
  File "/home/ubuntu/tmp/venvpypy3.6/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'ssl_parse_serverhello_tlsext', 'serverhello tlsext'), ('SSL routines', 'ssl3_get_server_hello', 'parse tlsext')]

PyPy 3.6 on Ubuntu 16.04 environment:

(venvpypy3.6) ubuntu@ip-10-122-27-87:~/tmp$ openssl version
OpenSSL 1.0.2g  1 Mar 2016
(venvpypy3.6) ubuntu@ip-10-122-27-87:~/tmp$ pip list
Package          Version
---------------- ---------
attrs            20.3.0
certifi          2020.12.5
cffi             1.14.2
chardet          3.0.4
cryptography     3.1.1
greenlet         0.4.13
idna             2.10
pip              20.3.2
pyasn1           0.4.8
pyasn1-modules   0.2.8
pymongo          3.11.2
pyOpenSSL        19.1.0
readline         6.2.4.1
requests         2.25.0
service-identity 18.1.0
setuptools       51.0.0
six              1.15.0
urllib3          1.26.2
wheel            0.36.2

I know pyOpenSSL has already dropped support for these versions of OpenSSL but as far as I can tell I'm using older versions of pyOpenSSL+cryptography which should be compatible. What do these errors mean?

@alex
Member

alex commented Dec 15, 2020

These errors come directly from OpenSSL; without further research I don't know offhand. Off the cuff, they look like the client is unhappy with something in the structure of the ServerHello TLS packet that the server sent, and I'd probably start by looking at those packets in Wireshark.

This is the limit of how much help we can provide for out-of-support versions.

@alex alex closed this as completed Dec 15, 2020
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 16, 2021
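
The ServerHello inspection suggested in the comment above, as an added example that is not part of the original thread or of pyOpenSSL: it parses a ServerHello record exported from a packet capture, lists its extensions, and reports any that the ClientHello did not offer (RFC 5246 forbids a server from sending those). The function names and the bytes returned by `build_sample()` are constructed for illustration.

```python
import struct

def parse_server_hello(record):
    """Parse one TLS record holding a complete ServerHello (TLS <= 1.2 layout).
    Returns (version, cipher_suite, [(ext_type, ext_data), ...])."""
    if len(record) < 9 or record[0] != 22:
        raise ValueError("not a handshake record")
    if int.from_bytes(record[3:5], "big") != len(record) - 5:
        raise ValueError("record length mismatch")
    body = record[9:]
    if record[5] != 2 or int.from_bytes(record[6:9], "big") != len(body):
        raise ValueError("not a complete ServerHello")
    if len(body) < 35:
        raise ValueError("truncated ServerHello")
    version = int.from_bytes(body[:2], "big")
    pos = 35 + body[34]                  # skip version, random, session_id
    if pos + 3 > len(body):
        raise ValueError("truncated ServerHello")
    cipher = int.from_bytes(body[pos:pos + 2], "big")
    pos += 3                             # cipher suite + compression method
    exts = []
    if pos == len(body):                 # the extensions block is optional
        return version, cipher, exts
    if pos + 2 + int.from_bytes(body[pos:pos + 2], "big") != len(body):
        raise ValueError("extensions length mismatch")
    pos += 2
    while pos < len(body):
        if pos + 4 > len(body):
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if pos + elen > len(body):
            raise ValueError("extension overruns message")
        exts.append((etype, body[pos:pos + elen]))
        pos += elen
    return version, cipher, exts

def unsolicited(exts, offered):
    """Extension types in the ServerHello that the ClientHello never offered."""
    return [t for t, _ in exts if t not in offered]

def build_sample():
    """Constructed ServerHello: renegotiation_info, empty server_name, ALPN."""
    exts = (struct.pack("!HH", 65281, 1) + b"\x00" + struct.pack("!HH", 0, 0)
            + struct.pack("!HH", 16, 5) + b"\x00\x03\x02h2")
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs
```

Pass the extension types from the matching ClientHello as `offered`; include 65281 (renegotiation_info) if the client signalled it through the `TLS_EMPTY_RENEGOTIATION_INFO_SCSV` cipher suite instead of the extension.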